Permissions for a Global Secondary Index

Time: 2018-11-07 22:16:55

Tags: node.js aws-lambda amazon-dynamodb amazon-cloudformation

I am defining a DynamoDB table with SAM like this:

#DynamoTables
  DevicesTable:
    Type: AWS::DynamoDB::Table
    Properties:
      TableName: devices
      AttributeDefinitions:
        - 
          AttributeName: "id"
          AttributeType: "S"
        - 
          AttributeName: "customerId"
          AttributeType: "S"
      KeySchema:
        - 
          AttributeName: "id"
          KeyType: "HASH"
        -
          AttributeName: "customerId"
          KeyType: "RANGE"
      GlobalSecondaryIndexes: 
        - 
          IndexName: "customers"
          KeySchema: 
            - 
              AttributeName: "customerId"
              KeyType: "HASH"
          Projection: 
            ProjectionType: "ALL"   
          ProvisionedThroughput: 
            ReadCapacityUnits: "5"
            WriteCapacityUnits: "5"
      ProvisionedThroughput:
        ReadCapacityUnits: "5"
        WriteCapacityUnits: "5"

I can access the table from a Lambda function that has Properties: Policies: AmazonDynamoDBFullAccess defined in SAM, and I can put items from node with params that specify TableName: 'devices'. But when I try to query the index by naming the index in the query params like this:

params = {
  TableName: 'devices',
  IndexName: 'customers',
  // ...
}

I get an error saying the Lambda function is not authorized to access the index:


AccessDeniedException: User: arn:aws:sts::::assumed-role/CodeStarWorker-Lambda/awscodestar-lambda-DeviceFunction is not authorized to perform: dynamodb:Query on resource: TABLEURL/devices/index/customers

Does anyone know how I can grant this access, or otherwise work around this, so that I can query the index?

Update: I don't think the AmazonDynamoDBFullAccess policy affects anything; when I remove it from template.yml I can still put to the table and still can't query the index. Do I have to add a role manually?

1 answer:

Answer 0: (score: 0)

Your lambda has permission to access TABLEURL/devices but not TABLEURL/devices/index/customers. I haven't used SAM; I'm using the Serverless Framework, but things should be similar. You need to add access to */index/customers to your role policy. That section of my yaml file looks like this:

Resource:
 - "Fn::GetAtt": [CfpTable, Arn]
 - "Fn::Join": ["/", [{ "Fn::GetAtt": ["CfpTable", "Arn"] }, "index", "reverse-index"]]

Here is an example from the AWS documentation of how to allow access to all indexes on a table.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AccessAllIndexesOnBooks",
            "Effect": "Allow",
            "Action": [
                "dynamodb:*"
            ],
            "Resource": [
                "arn:aws:dynamodb:us-west-2:123456789012:table/Books",
                "arn:aws:dynamodb:us-west-2:123456789012:table/Books/index/*"
            ]
        }
    ]
}
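The same grant written for SAM, as an added example that is not part of the question or the answer above: the Lambda function carries an inline least-privilege policy instead of the AmazonDynamoDBFullAccess managed policy, and the index is granted as its own resource ARN (`<table ARN>/index/<index name>`), scoped to the one index that is queried rather than `index/*` and to `dynamodb:Query` rather than `dynamodb:*`. The table definition is the one from the question; the function's logical name, handler and runtime are assumed for illustration.

```yaml
# Added example (not the question's or the answer's own template).
# Assumed: logical names DeviceFunction / DevicesTable, handler index.handler,
# runtime nodejs18.x. The table and the "customers" index come from the question.
AWSTemplateFormatVersion: "2010-09-09"
Transform: AWS::Serverless-2016-10-31

Resources:
  DevicesTable:
    Type: AWS::DynamoDB::Table
    Properties:
      TableName: devices
      AttributeDefinitions:
        - AttributeName: id
          AttributeType: S
        - AttributeName: customerId
          AttributeType: S
      KeySchema:
        - AttributeName: id
          KeyType: HASH
        - AttributeName: customerId
          KeyType: RANGE
      GlobalSecondaryIndexes:
        - IndexName: customers
          KeySchema:
            - AttributeName: customerId
              KeyType: HASH
          Projection:
            ProjectionType: ALL
          ProvisionedThroughput:
            ReadCapacityUnits: 5
            WriteCapacityUnits: 5
      ProvisionedThroughput:
        ReadCapacityUnits: 5
        WriteCapacityUnits: 5

  DeviceFunction:
    Type: AWS::Serverless::Function
    Properties:
      Handler: index.handler
      Runtime: nodejs18.x
      # Inline IAM policy document: SAM attaches it to the execution role it
      # creates for this function. No managed full-access policy is needed.
      Policies:
        - Version: "2012-10-17"
          Statement:
            # PutItem is only ever issued against the table, so the table ARN
            # alone is enough for writes.
            - Sid: WriteDevicesTable
              Effect: Allow
              Action:
                - dynamodb:PutItem
              Resource: !GetAtt DevicesTable.Arn
            # A Query with IndexName: 'customers' is authorised against the
            # index ARN, which is a separate resource from the table ARN.
            - Sid: QueryDevicesTableAndCustomersIndex
              Effect: Allow
              Action:
                - dynamodb:Query
              Resource:
                - !GetAtt DevicesTable.Arn
                - !Sub "${DevicesTable.Arn}/index/customers"
```

One caveat for the CodeStar case in the question: SAM only builds a role from `Policies` when the function has no explicit `Role` property; if `Role` is set (the role in the error, CodeStarWorker-Lambda, is one CodeStar creates rather than one SAM generated), `Policies` is ignored, which is consistent with removing AmazonDynamoDBFullAccess changing nothing. In that situation the `dynamodb:Query` statement with the `/index/customers` ARN has to be attached to that existing role instead.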